22 February 2015

"Just as some things must be seen to be believed, some must be believed to be seen." "...so one way to reduce risk is to learn what risk looks like." --Gavin De Becker

These words from his book The Gift of Fear remind us of how many people talk about Operational Risk Management (ORM), mitigation and implementing risk controls without any context. In order to truly understand something, you actually have to come face-to-face with it, experience it and feel it.

For every 100 people in your organization, how many are a risk? By that we mean that the odds are high that an individual will do something, or be the target of an incident, that causes irreversible harm to themselves and/or the institution during their tenure as an employee.

The actuaries behind the insurance you purchase for different kinds of hazards or incidents in the workplace could give you some answers here. How likely is it, for example, that this kind of event occurs in this industry over the course of one year? Certainly the ratios are known; otherwise the insurance product would not exist to protect you.

Predictive analytics, the processing of information to predict what has a high chance of actually occurring, is a whole other matter. In order to be predictive, you have to have actual experience, and it has to be so innate that it becomes more than just an intuition.

Some call it "self-talk" and others a gut feeling, but whatever it is, it got there because of your past experience. If it's more powerful than that, you may just be experiencing something we all know as "real fear". You have to realize that when you get that tingling sensation up the back of your neck, you are way beyond self-talk and into a whole new dimension of emotion.

De Becker's elements of prediction can help us figure out the likelihood that a predicted outcome actually occurs:

1. Measurability - How measurable is the outcome you seek to predict?

2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?

3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?

4. Context - Is the context of the situation clear to the person making the prediction?

5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?

6. Experience - Does the person making the prediction have experience with the specific topic involved?

7. Comparable Events - Can you study or consider outcomes that are comparable (though not necessarily identical) to the one being predicted?

8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?

9. Investment - To what degree is the person making the prediction invested in the outcome?

10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?

11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?

This OPS Risk professional has realized that these 11 elements exist in many of the risk management methodologies and systems experienced over the years. What is remarkable is how often we see these elements being left out, avoided or just plain not utilized in organizations of all sizes and industry sectors.

It's time that CxOs revisit all of these elements in each of the Operational Risk Management (ORM) systems in place in their enterprise: from the front door to the intrusion prevention system, in the HR process from interview to termination, and from the training room to the board room.

Predictive analytics is a science that comes in the form of an art. Make sure you have the people who are masters of the art and experts in implementing the science.

15 February 2015

The "Leadership of Security Risk Professionals" continues to be an executive management priority in light of the asymmetric threat spectrum unfolding across the globe. Operational Risk Management (ORM) provides the umbrella for the diverse and yet interdependent processes that pulse throughout the information rich enterprise. As a leader reflects on this dynamic ecosystem, the vulnerability that still remains most prominent is the failure to effectively integrate risk mitigation tasks by the risk professionals themselves.

How often is your Facility Security Officer (FSO) part of the strategic briefings after a Board of Directors meeting? Explain the amount of information exchange and substance of the daily dialogue between your head of Human Resources (HR) and the Chief Security Officer (CSO). What new strategies have been developed this week between your outside counsel and General Counsel (GC) that have also been communicated to the Tier II management in the organization? How do your customers get educated by your Chief Financial Officer (CFO) in concert with the Chief Information Security Officer (CISO)? What metrics are in place to gauge the risk awareness of new industrial espionage schemes being utilized by Transnational Organized Crime (TOC) syndicates or nation states to prey on Critical Infrastructure owners and operators?

The risk professionals in your organization are operating each day in the fog of unvalidated intel and exploits. What have you done to update, adapt, renew and change the way you will operate since yesterday? It is this level of situational awareness and predictive sense-making that is necessary if you aspire to become even more resilient tomorrow. Knowing what has changed on each other's "Risk Watch" is only one part of the daily real-time analysis. The most time-sensitive knowledge may be the understanding of the behavioral implications of your people, processes, systems and external events as they unfold before you:

According to counterintelligence presented by the Federal Bureau of Investigation's Insider Threat Program, employees, former employees or contractors -- those who joined the organization with no intent of wrongdoing -- pose the biggest threat.

These findings a few years ago, which are based on 20 years of espionage case investigations, indicate that contrary to popular belief, when it comes to data loss and spying, the real-world insider threat is not a stereotypical hacker who covertly siphons off sensitive information on internal systems and networks.

Authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat, according to Patrick Reidy, the FBI's chief information security officer heading up the Insider Threat Program.

Reidy said the FBI spends about 35% of its response time on these types of incidents. Focusing on education can help minimize these problems; he said these incidents have dropped 7% at the FBI in the past year.

Insider threats are not numerous, according to Reidy, but in terms of damages they are the most costly. Of more than 1,900 incidents reported during a 10-year period, Reidy said about 19% were malicious insider threats. Based on information from multiple, "open source" data breach reports and data loss surveys, the average cost per incident is $412 thousand, and the average loss per industry is $15 million. In several instances, damages reached more than $1 billion.

The "Speed of the Connected Enterprise" can be your best ally or your greatest adversary. How you integrate, explain, orient, exchange and adapt in real time is now the name of the game. Leadership of Security Risk Professionals operating each day, from the front lines to the back office of your organization, requires Operational Risk Management excellence.

Without it, they will continue to operate in the haze of that invisible adversary we call complacency. Complacent employees, suppliers and customers will remain your most lofty vulnerability. Your leadership effectiveness over the Security Risk Professionals operating in your organization, partner businesses and client facilities is continuously at stake.

07 February 2015

Are there growing Operational Risks to our national security and private sector enterprises as our intelligence communities (IC) continue their path of convergence?

We are using the tools and software to automate as much of the collection and the workflow as possible before the human "Grey Matter" is necessary for the final analysis. The fact that 80% of the time is spent on collection/searching and 20% on actual human processing tells us that we have a long way to go.

Getting to the point where we are spending even more than half of the time doing actual human analysis is a long way off into the future. Software systems are getting automated crawlers to pull more relevant OSINT into the "Big Data" bases for unstructured query, yet what about the front line observer who is the witness to an incident? They must process this by interfacing with a paper-based report that is filled in with a #2 pencil, or an electronic form on a PDA, to check boxes and select the categories that best describe the observed event, which risk managers, watch commanders and operations directors need for more effective decision support.

It dawned on us again that perhaps the most vulnerable area of our entire mission is the actual analytical process. We have highlighted the "Analysis of Competing Hypotheses" (ACH) methodology in the past:

Use ACH when the judgment or decision is so important that you can't afford to be wrong. Use it to record and organize relevant evidence prior to making an analytical judgment or decision. Use it to identify and then question assumptions that may be driving your thinking, perhaps without realizing it. Use it when the evidence you are working with may be influenced by denial and deception. Use it when gut feelings are not good enough, and you need a more systematic approach that raises questions you had not thought of. Use it to prevent being surprised by an unforeseen outcome. Use it when an issue is particularly controversial and you want to highlight the precise sources of disagreement. Use it to maintain a record of how and why you reached your conclusion.

To our own demise, how much time are we spending teaching people how to create .csv files and Excel spreadsheets so they can be imported into a link analysis chart or tool? Getting correct, clean and accurate data into the tool is very important. Once the intel analysts take over and start the Who, What, When, Where exercises to gain a visual picture of the incidents, actors, and cues and clues associated with the "Modus Operandi" (MO), people start to get way too excited about the possible outcomes. That is when it's time to stop, assess and use ACH.
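What "stop, assess and use ACH" looks like in practice, as an added illustration that is not code from the original post: a small ACH matrix in which constructed evidence is rated against constructed hypotheses, scored the standard ACH way (count inconsistencies, ignore evidence that does not discriminate), plus a check that shows which single evidence item is holding up the conclusion, which is exactly what you want to know when denial and deception may be in play.

```python
"""Minimal Analysis of Competing Hypotheses (ACH) matrix (added illustration,
not the original post's code; hypotheses, evidence and ratings are constructed).
Each evidence item is rated against every hypothesis as consistent ("C"),
inconsistent ("I") or neutral ("N"). The hypothesis with the fewest
inconsistencies is preferred, and evidence rated identically under all
hypotheses carries no diagnostic weight."""

# Constructed scenario: unusual after-hours bulk access to a file share.
HYPOTHESES = ["H1 malicious insider", "H2 compromised account", "H3 legitimate project"]
# Each row: evidence description, then one rating per hypothesis, in order.
EVIDENCE = [
    ("Access occurred after hours",              ["C", "C", "C"]),
    ("VPN source matches the user's home ISP",   ["C", "I", "C"]),
    ("No change ticket or manager approval",     ["C", "N", "I"]),
    ("Files copied to personal cloud storage",   ["C", "C", "I"]),
    ("Helpdesk reset the password that morning", ["N", "C", "N"]),
]

def is_diagnostic(ratings):
    """Evidence rated the same for every hypothesis cannot discriminate."""
    return len(set(ratings)) > 1

def inconsistency_scores(hypotheses=HYPOTHESES, evidence=EVIDENCE):
    """Count 'I' ratings per hypothesis over diagnostic evidence only."""
    scores = {h: 0 for h in hypotheses}
    for _desc, ratings in evidence:
        if is_diagnostic(ratings):
            for h, r in zip(hypotheses, ratings):
                scores[h] += r == "I"
    return scores

def leaders(hypotheses=HYPOTHESES, evidence=EVIDENCE):
    """Hypotheses tied at the lowest inconsistency count. Ties are kept,
    not silently broken: a tie means the evidence is not yet decisive."""
    scores = inconsistency_scores(hypotheses, evidence)
    best = min(scores.values())
    return [h for h in hypotheses if scores[h] == best]

def load_bearing_evidence(hypotheses=HYPOTHESES, evidence=EVIDENCE):
    """Evidence whose removal changes the leading set: verify these items
    first, since error or deception there would flip the conclusion."""
    baseline = leaders(hypotheses, evidence)
    return [desc for i, (desc, _r) in enumerate(evidence)
            if leaders(hypotheses, evidence[:i] + evidence[i + 1:]) != baseline]

if __name__ == "__main__":
    print(inconsistency_scores())   # H1: 0, H2: 1, H3: 2
    print(leaders())                # ['H1 malicious insider']
    print(load_bearing_evidence())  # ['VPN source matches the user's home ISP']
```

Note that the first row is consistent with every hypothesis and so contributes nothing, and that a single evidence item separates H1 from H2: that is the item to go back and verify before anyone gets excited about an outcome.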

Utilizing an analytic process that incorporates the use of tools and other aids to the human decision maker to increase accuracy is only prudent if you have the time to ensure a decision without error. In the absence of time, human intelligence is the only answer. We should not underestimate the "Theory of Multiple Intelligences" put forth by Howard Gardner in his book Frames of Mind.

As you read this book from 1983 and begin to apply the history of what we have learned about human cognition, and then use this in the context of an analytic process for intelligence communities, suddenly our current state of the IC and its attempt to reform itself seems crystal clear. What if we organized the competencies of intelligence organizations more closely to the multiple intelligences that Gardner has been researching for multiple decades?

The people selected, trained and leveraged for their "Grey Matter" would be more closely aligned with what we know about the brain and the way that humans have evolved, from a biological perspective, in their cognitive capacities. Is it possible that we have the wrong people working in the wrong Intel agencies and the wrong roles?

Linguistic Intelligence

Musical Intelligence

Logical-Mathematical Intelligence

Spatial Intelligence

Bodily-Kinesthetic Intelligence

Personal Intelligence

Is it possible to develop an analytic process that puts the right people in the right sequence of the process so that the outcomes are closer to what we really are seeking?

The answer may lie on one of these pages. They may be the best place to start in order to understand what each of our IC entities is all about at this point in the intelligence analysis and outcomes evolution.

01 February 2015

"Leadership of Security Risk Professionals" is in the operational risk management think tank. It is a program being designed for corporations and other organizations that are raising the bar in their personnel skills, risk knowledge and corporate stewardship of their respective silos of enterprise security risk.

If you think about the typical organization that has dozens of risk managers spread across Legal, Human Resources, Finance, Information Technology and Facilities/Real Estate, they all have their own individual silos and risk landscape. The challenge is to develop a strategic leadership program for these people, and for the respective skill sets they all should possess, to provide effective Operational Risk Management in our modern-day dynamic enterprise.

This strategic program developed to address "Leadership of Security Risk Professionals" (LSRP) shall have several key modules:

Behavioral Indicators

Organizational Factors

Personal Factors

Information Communication Technology (ICT)

Situational Awareness

Continuity of Operations

Incident Command

Crisis Response

Wrapped around all of these educational modules shall be practical exercises, realistic scenarios and hands-on testing in a simulated environment. All delivered within the secure facility of an off-site location, where everyone eats, sleeps and learns together over the course of 2.5 days. The think tank outcomes so far have expressed a desire to also include a hands-on layer. This will be devoted to counterintelligence awareness building and the active pursuit of economic espionage, trade secrets and intellectual property theft.

The LSRP program is currently being architected and will be formally launched in early 2015. In the meantime, we would like to know what you would like to see included, in terms of skills learned and practiced. What are the sub-topics that you think the program should not leave out, or that should not be overdone? The global nature of business environments and the pervasive use of ICT for traditional core office functions are now blending with social media. Now the risks become even more diverse, and ever more dynamic.

The convergence of thinking by security risk professionals in an organization is paramount to effective enterprise stewardship. Do the HR recruiter and the Chief Security Officer think the same way about what the red flags are in the background check of a potential new candidate? Does the IT admin think about the same red flags that the finance auditor loses sleep over every night? Probably not.

The point is that the myriad of security risk professionals inside the organization have their own focus on the red flags that are in their respective domains, not all the others inside the same company. This is a key metric for the outcomes resulting from the delivery of the LSRP educational and skills-based program.

We look forward to your ideas, thoughts and comments about "Leadership of Security Risk Professionals" in the weeks and months ahead.

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke